[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IKEv2 AUTH payload
Hi,
IKEv2-13 says that the entire IKE message (from the first octet to last octet of
the paylod) will be signed. I am assuming that the AUTH payload is not included
(even the nullified one -- all set to 0) for signature. It means that the AUTH
payload will be the last one in the IKE message and message is signed up to the
beggining of the AUTH payload.
Is above the right interpretation? If so, it may be a good idea to clarify this
in the spec.
Thanks.
Kevin
Cisco Systems
============= Quote from IKEv2-13 --- Start
2.15 Authentication of the IKE_SA
When not using extended authentication (see section 2.16), the peers
are authenticated by having each sign (or MAC using a shared secret
as the key) a block of data. For the responder, the octets to be
signed start with the first octet of the first SPI in the header of
the second message and end with the last octet of the last payload in
the second message. Appended to this (for purposes of computing the
signature) are the initiator's nonce Ni (just the value, not the
payload containing it), and the value prf(SK_ar,IDr') where IDr' is
the responder's ID payload excluding the fixed header. Note that
neither the nonce Ni nor the value prf(SK_ar,IDr') are transmitted.
============ Quote from IKEv2-13 --- End